Posts Tagged Enterprise Security

As news of the data breach at vBulletin.com and vBulletin.org reached the mainstream media, it has left a lot of system administrators and forum administrators extremely nervous, since almost one million usernames, emails, and passwords have been compromised.

Possible 0-Day?

Several news outlets have reported a zero-day remote code execution vulnerability affecting all releases of the vBulletin 4.x and vBulletin 5.x series, which allows an attacker to execute arbitrary code on the server remotely.

The exploit is being sold for roughly $7,000.00 USD, payable only in virtual currencies Bitcoin and WebMoney. According to Brian Krebs at KrebsonSecurity, at least one individual has made the purchase.

As added proof of concept, the following screenshots of the vBulletin database, server shell, and tables have been released. We can confirm that the database information is indeed legitimate.

Historically, when an exploit is sold, the exploit itself has, for the most part, been tested and validated as a working exploit.

Several vBulletin forum communities, including the DEF CON Conference Forums, have been taken offline because of the vBulletin 0-Day in the wild and have chosen not to return until a patch is released.

Other forum communities have begun the massive task of migrating away from vBulletin as the issue appears to be growing exponentially.

Earlier yesterday, when confronted by vBulletin customers, it was revealed that the attackers had access to the Magento customer database, which gave them access to customer billing addresses. Whether that access was actually used is still up for debate; however, logs indicate that the billing addresses were not accessed.

vBulletin Solutions, a wholly owned subsidiary of Internet Brands, denied the allegations of a real 0-day threat to vBulletin.

“Given our analysis of the evidence provided by the Inject0r team, we do not believe that they have uncovered a 0-day vulnerability in vBulletin.

“These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software,” wrote Wayne Luke, vBulletin Technical Support Lead.

Whether this attack is related to the MacRumors.com data breach earlier in the month is still being debated among vBulletin customers given that MacRumors was running an older version of vBulletin.

Prepare for an attack?

For websites currently utilizing vBulletin, we recommend that all web application firewalls and defenses for servers hosting vBulletin be tuned to a much higher setting until the situation resolves. Server administrators are also encouraged to enable verbose logging to help with the incident response process.

Alternatively, vBulletin customers may choose to seek an alternative forum solution of their choosing.

Approximately 401,120 vBulletin.com and 503,204 vBulletin.org members who post on each respective site are being asked to change their passwords after accounts on both websites were compromised in an attack.

How many victims? About 900,000

What type of personal information? Usernames, email addresses, and hashed passwords. It is unknown at this time whether members-area information and any personally identifiable customer information is at risk.

What was the response? An internal investigation is ongoing. Wayne Luke, vBulletin Technical Support Lead, posted about the attack, alerting users to the data breach and encouraging them to update their passwords.

Details of attack: A development server, mainly used for quality assurance, was successfully broken into during the summer. Sometime between the summer and early October, the attackers successfully gained access to the primary database server, installed Adminer (formerly phpMinAdmin) and accessed the vBulletin.com and vBulletin.org user tables. At the conclusion of the attack, they deleted Adminer.

The log files that were examined show no attempted access to customer data in the support system; they indicate that the attackers targeted the vBulletin user table. The integrity of those logs is in question, however, given that the attackers deleted evidence of their presence.

Quote: “We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.”

Social engineering has always been one of my favorite attack vectors when doing any penetration test. A big reason why our firm succeeds is that we, as human beings, forget about the “Seven Deadly Sins”.

As I thought about the social engineering attack vectors from previous engagements, I noticed that I always relied on a few common ones, and that each of those key vectors can be attributed to one of the Seven Deadly Sins.

Lust – Those wonderful emails promising a wonderful time with beautiful women or a sexual temptation

Gluttony – Free Gift Cards to some retailer in some huge sum

Greed – Nigerian emails or those wonderful email scams promising lots of money (gift cards to retailers can also fall under this category)

Sloth – Easy money by working at home

Wrath – Maybe not so much outrage or anger towards an individual, but a situation or outcome, like poor orphans, or a major disaster situation like the recent Typhoon Haiyan

Envy – Free iPads, iPhones or some beautiful electronic device

Pride – Involves stroking one’s ego in the email, calling them a valuable person or asset and that they are needed. Insecurity is a form of pride, where rather than building one’s ego, they tear them down and make one feel insecure about themselves.

In all cases, the lure triggers an emotional response that can motivate someone to donate in the spirit of aid, as with Typhoon Haiyan, or plays on someone’s envy because a friend has the nice shiny toys they desire.

Either way, be conscious of these social engineering attempts, both in your business and personally. These seven social engineering attack vectors will always net at least one win, and the adversary only needs a single win.

First, in the interest of fair disclosure, I have been a vBulletin customer for close to 10+ years. While my criticisms may be harsh, they are justified given the level of incompetence I have witnessed in the last few years.

If you missed this article on Brian Krebs’s blog two weeks ago, it details an exploit that targets the installation folder of the vBulletin 4.x and vBulletin 5.x generations, with an estimated 35,000 sites affected despite Internet Brands having notified customers.

If you run a forum or site powered by vBulletin, remove the “/install” and/or “/core/install” folders. If your vBulletin site still has those directories present, check for new administrator accounts and for any accounts that may have been whitelisted as super admins in config.php.
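The two checks above, as an added example (not code from the original post or from vBulletin): a POSIX shell audit that reports leftover install directories under a vBulletin webroot and prints the user IDs whitelisted as super administrators. It assumes the 4.x layout (includes/config.php) or the 5.x layout (core/includes/config.php) and the `$config['SpecialUsers']['superadministrators']` key that vBulletin's config.php uses for the super admin whitelist.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits a vBulletin webroot
# for the two conditions the post tells site owners to check.

# Return 0 (and print each path) if any leftover install directory exists
# under the webroot $1; return 1 if none is present.
vb_install_dirs_present() {
    root="$1"
    found=1
    for d in install core/install; do
        if [ -d "$root/$d" ]; then
            echo "LEFTOVER: $root/$d"
            found=0
        fi
    done
    return $found
}

# Print the comma-separated user IDs whitelisted as super administrators in
# config.php (assumed key: $config['SpecialUsers']['superadministrators']).
# Tries the vBulletin 4.x path first, then the 5.x path; returns 1 if no
# config.php is found.
vb_superadmins() {
    root="$1"
    for cfg in includes/config.php core/includes/config.php; do
        if [ -f "$root/$cfg" ]; then
            sed -n "s/.*\['superadministrators'\][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$root/$cfg"
            return 0
        fi
    done
    return 1
}

# Usage: sh vb_audit.sh /var/www/forum   (path is a hypothetical example)
if [ $# -gt 0 ]; then
    if vb_install_dirs_present "$1"; then
        echo "ACTION: delete the install directories listed above"
    else
        echo "OK: no install directories found under $1"
    fi
    echo "Super administrator IDs to review against your admin list:"
    vb_superadmins "$1" || echo "WARN: config.php not found under $1"
fi
```

Compare the printed super administrator IDs against the accounts you expect; any ID you do not recognise is worth treating as a sign of compromise.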

Criticism

Regardless of the product one uses, webmasters, business owners, and organizations should be employing best practices when it comes to vendor risk management. That includes signing up for the vendor’s notifications in the event of security flaws related to their products. Moreover, anyone who did their homework on Internet Brands would clearly know that the product is rubbish. The product is flawed in so many ways it’s not even funny.

Criticism of Internet Brands

First, we can all agree that there is a set of industry best practices out there, from coding to marketing. From my observations, Internet Brands has violated pretty much every conceivable best practice out there and is a disaster beyond our imagination. This is the very same company that shipped a vBulletin database credential leak: a site’s SQL username, password, server, and database name were revealed to the public if you looked them up on a forum owner’s frequently asked questions page.

Yes, site owners are responsible for their sites, but Internet Brands has no real concept of risk management, project management, or information security. Their sole purpose is to make money, and they will make money at the expense of your site’s information security. As a customer, I lost faith very quickly and terminated my usage of vBulletin immediately so as not to expose my sites to potential and future security issues.

Moreover, their security notices downplayed the security threat. In an email, Internet Brands wrote to its customers:

A potential exploit vector has been found in the vBulletin 4.1+ and 5.0+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, you should delete the install directory for your installation. This folder is not required for normal operation of vBulletin.

When one reads the email, the choice of words (emphasized in bold in the original) leads customers to draw the wrong conclusions: that the threat is not confirmed, that it will be confirmed later, and that a customer should expect a further notice once the security issue is confirmed, so no immediate action is required. This wording was designed to protect Internet Brands, but in the process the language chosen changed the risk from an actual risk to a potential risk.

Beyond the notifications and communications to its customers, Internet Brands itself is responsible for the overall security of its product. That includes elements like the install directory. It is still the responsibility of Internet Brands to ensure that vBulletin is securely coded, using industry best practices to test, audit, and validate it, and to deliver a product that is not only coded well but also scales well.

Information security starts with your developers and your software vendors, and it continues with them. It is (or rather, should be) a required part of the software development life cycle. It isn’t easy to do, but the savings and return on investment are tenfold when it is integrated into your processes.

Do your homework on your software vendors. Yes, they may claim security is at the top of their list, but I would “trust but verify”. More importantly, don’t be cheap on information security. Going for checklist audits and assessments just to say you are secure is being cheap.

Your organization has a reputation to uphold. Information security is an investment in your organization and its welfare. Should you not wish to invest, be prepared for a number of sleepless nights ahead.

Summary:

Securely Code Your Products

Do your homework on your vendors

Your organization has a reputation. It can be tarnished by improper information security.

Information Security is not cheap. But it is well worth the investment in the long run.

This follow-up video features a gentleman assuming the identity of a random man he selects as his mark on Facebook. Using social media, he acquires information about the mark’s personal life, including people the mark knows in real life.

Using movie stage makeup, he takes on his mark’s complete physical appearance. He later physically stands before his mark. See the entire video below:

Be vigilant about who you add as a friend on social media. Moreover, do not overshare information. It is amazing what one can find on the internet. Anything you say on the internet can and will be used against you.

Remember, if you give a hacker a cookie, he (or she) is going to want a glass of milk.